NAME

SYNOPSIS

DESCRIPTION

The smexec command manages an entry in the exec_attr(4) database in the local /etc files name service or a NIS or NIS+ name service.

Symlinked commands should not be used as an argument to smexec. If a non-existent command is passed, the smexec command accepts it, but it does not work.
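
A pre-flight check for the two failure cases above, as an added example that is not part of the smexec documentation or the Solaris tools. The helper name check_exec_path and its return codes are constructed here, and rejecting a path that runs through a symlinked directory is an assumption stricter than the text above.

```shell
#!/bin/sh
# Added example: validate the value intended for "smexec ... -t cmd -c <path>".
# check_exec_path and its return codes are hypothetical, not part of smexec:
#   0 usable   3 not a full path   4 does not exist
#   5 symlink or non-canonical path   6 not an executable regular file
check_exec_path() {
    cmd_path=$1

    case $cmd_path in
        /*) ;;
        *) echo "reject: '$cmd_path' is not a full path" >&2; return 3 ;;
    esac

    # -h is true for a symlink even if its target is missing, so test it
    # before the existence check, which follows links.
    if [ -h "$cmd_path" ]; then
        echo "reject: '$cmd_path' is a symbolic link" >&2; return 5
    fi
    if [ ! -e "$cmd_path" ]; then
        echo "reject: '$cmd_path' does not exist" >&2; return 4
    fi

    # Assumption: also reject paths whose directory part resolves elsewhere
    # (a symlinked directory, "..", or doubled slashes).
    dir=$(dirname "$cmd_path")
    real_dir=$(cd -P "$dir" 2>/dev/null && pwd -P) || return 4
    if [ "$real_dir" != "$dir" ]; then
        echo "reject: '$dir' resolves to '$real_dir'" >&2; return 5
    fi

    if [ ! -f "$cmd_path" ] || [ ! -x "$cmd_path" ]; then
        echo "reject: '$cmd_path' is not an executable regular file" >&2
        return 6
    fi
    return 0
}
```

The check applies only to entries of type cmd; a CDE action given with -t act is not a file path.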

subcommands

smexec subcommands are:

add

Adds a new entry to the exec_attr(4) database. To add an entry to the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.

delete

Deletes an entry from the exec_attr(4) database. To delete an entry from the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.

modify

Modifies an entry in the exec_attr(4) database. To modify an entry in the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.

OPTIONS

The smexec authentication arguments, auth_args, are derived from the smc(1M) arg set and are the same regardless of which subcommand you use. The smexec command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first smc connection may time out, so you may need to retry the command.

The subcommand-specific options, subcommand_args, must come after the auth_args and must be separated from them by the -- option.

auth_args

The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed and the user may be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain with the domain argument.

-D | --domain domain

Specifies the default domain that you want to manage. The syntax of domain is type:/host_name/domain_name, where type is nis, nisplus, dns, ldap, or file; host_name is the name of the machine that serves the domain; and domain_name is the name of the domain you want to manage. (Note: Do not use nis+ for nisplus.)

If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis; this option specifies the domain for all other tools.

-H | --hostname host_name:port

Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port, 898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898. You may still have to choose a toolbox to load into the console. To override this behavior, use the smc(1M) -B option, or set your console preferences to load a “home toolbox” by default.

-l | --rolepassword role_password

Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to supply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.

-p | --password password

Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.

-r | --rolename role_name

Specifies a role name for authentication. If you do not specify this option, no role is assumed.

-u | --username user_name

Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.

--

This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter the -- option.

subcommand_args

Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes.

For subcommand add:

-C clearance

(Optional) Specifies the human-readable string or hex representation of the clearance. It is a valid option when the tsol policy is specified.

-c command_path | CDE_action

Specifies the full path to the command or CDE action associated with the new exec_attr entry.

-g egid

(Optional) Specifies the effective group ID that executes with the command or CDE action.

-G gid

(Optional) Specifies the real group ID that executes with the command or CDE action.

-h

(Optional) Displays the command's usage statement.

-L label

(Optional) Specifies the human-readable string or hex representation of the label. It is a valid option when the tsol policy is specified.

-n profile_name

Specifies the name of the profile associated with the new exec_attr entry.

-p policy

Specifies the policy (tsol or suser) associated with the new exec_attr entry. If this option is not specified, the default is suser.

-P priv_to_add1 ...

Specifies the privilege name(s) or privilege number(s) to add to the new exec_attr entry. Additional privileges may be specified by specifying the -P option multiple times. It is a valid option when the tsol policy is specified.

-t type

Specifies the type cmd for command, or type act for CDE action.

-u euid

(Optional) Specifies the effective user ID that executes with the command or CDE action.

-U uid

(Optional) Specifies the real user ID that executes with the command or CDE action.

For subcommand delete:

-c command_path | CDE_action

Specifies the full path to the command or CDE action associated with the exec_attr entry.

-h

(Optional) Displays the command's usage statement.

-n profile_name

Specifies the name of the profile associated with the exec_attr entry.

-p policy

(Optional) Specifies the policy (tsol or suser) associated with the new exec_attr entry. If this option is not specified, the default is suser.

-t type

Specifies the type cmd for command, or type act for CDE action.

For subcommand modify:

-c command_path | CDE_action

Specifies the full path to the command or CDE action associated with the exec_attr entry that you want to modify.

-C clearance

(Optional) Specifies the human-readable string or hex representation of the clearance. It is a valid option when the tsol policy is specified.

-g egid

(Optional) Specifies the new effective group ID that executes with the command or CDE action.

-G gid

(Optional) Specifies the new real group ID that executes with the command or CDE action.

-h

(Optional) Displays the command's usage statement.

-L label

(Optional) Specifies the human-readable string or hex representation of the label. It is a valid option when the tsol policy is specified.

-n profile_name

Specifies the name of the profile associated with the exec_attr entry.

-p policy

Specifies the policy (tsol or suser) associated with the new exec_attr entry. If this option is not specified, the default is suser.

-P priv_to_add1 ...

Specifies the privilege name(s) or privilege number(s) to add to the modified exec_attr entry. Additional privileges may be specified by specifying the -P option multiple times. It is a valid option when the tsol policy is specified.

-R priv_to_delete1 ...

Specifies the privilege name(s) or privilege number(s) to delete from the exec_attr entry. Additional privileges may be specified by specifying the -R option multiple times. It is a valid option when the tsol policy is specified.

-t type

Specifies the type cmd for command, or type act for CDE action.

-u euid

(Optional) Specifies the new effective user ID that executes with the command or CDE action.

-U uid

(Optional) Specifies the new real user ID that executes with the command or CDE action.

EXAMPLES

Example 1 Adding an exec_attr database entry

The admin role connects to port 898 (which happens to also be the default) of the aviary server on the nis:/birds/aves.Sun.COM domain, and adds a new exec_attr entry for the User Manager profile. The entry type is act for the CDE action ReloadApps;*;*;*;0. The action has a clearance of Top Secret Able Baker, a label of confidential, and a policy of tsol. The administrator is prompted for the admin password.

Example 2 Deleting an exec_attr database entry

The admin role deletes the ReloadResources;*;*;*;0 CDE action entry in the exec_attr database for the User Manager profile. Since no authorization arguments were specified, the administrator connects to port 898 of the local host on the local server with the file domain type, which are the defaults. The administrator is prompted for the admin password.

Example 3 Modifying an exec_attr database entry

The admin role modifies the attributes of the exec_attr database entry for the User Manager profile. The ReloadApps;*;*;*;0 CDE action entry is modified to execute with a clearance of Secret Able. The administrator is prompted for the admin password.

ENVIRONMENT VARIABLES

See environ(5) for a description of the JAVA_HOME environment variable, which affects the execution of the smexec command. If this environment variable is not specified, the /usr/java location is used. See smc(1M).

EXIT STATUS

The following exit values are returned:

0

Successful completion.

1

Invalid command syntax. A usage message displays.

2

An error occurred while executing the command. An error message displays.

ATTRIBUTES

SUMMARY OF TRUSTED SOLARIS CHANGES

To add, modify, or delete an entry in the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.

The -C, -L, and -P options may be specified for the add and modify subcommands. The -p option may be specified for the add, modify, and delete subcommands. Input for a CDE action may be specified with most options.